IT Security Alert: Now PDFs Pose a Threat!

Update: According to IT security types, certain versions of Internet Explorer are also vulnerable. They include:

• IE6, Adobe Reader 7 on XP SP1
• IE6, Adobe Reader 4 on XP SP2

I just received a very alarming alert from my daughter who works in IT security. According to a couple of posts that she forwarded to me, the long-trusted PDF document format can now be exploited for cross-site scripting purposes, meaning that any web site hosting PDF files can be used for perpetrating cyber attacks.

According to this CBC News article, which cites research from Symantec and VeriSign, virtually any website hosting PDF files is vulnerable to attack. The outcomes could range from covert spying on surfers to the creation and spread of dangerous worms.

The intrusion is accomplished through Javascripted links to PDF documents, which could also be sent by email. They take advantage of a vulnerability in the Acrobat Reader to run malicious code when users attempt to open the linked file. The technique appears, for once, to target Firefox rather than IE.

This article from Symantec describes the exploit in more detail and outlines ways to protect yourself, including upgrading to Acrobat Reader 8.0 or disabling the plug-in entirely. Don't miss it!